Store .sorry and .oldshell outside of user dir

[kpengboy]

We currently store the sorry reason and old shell in the ~/.sorry and ~/.oldshell files respectively of the sorried user. This is a dangerous practice, because:

• If the user had something valuable in the ~/.sorry file, we overwrite it.
• If the user had an existing ~/.oldshell file, we lose the info about the old shell.
• Worst of all, ~/.sorry could be a symlink created by an attacker to point to important system files. In that case, we would just overwrite those files. (And the scary thing is the script, running as root, actually has permissions to do this.)

We should store this information elsewhere, preferably in a directory that only we control.

[cg505]

Worst of all, ~/.sorry could be a symlink created by an attacker to point to important system files. In that case, (And the scary thing is we are writing to those files with a script running as root.)

This can be addressed without moving these files outside of the user homedir (and probably should since this is definitely a concern). FWIW, we will overwrite the symlink unless it is to a directory (in which case we will place the sorryfile in the linked directory).

[kpengboy]

Still though, I think that assuming we control certain arbitrary files in the user's homedir is an antipattern.

[axmmisaka]

While storing stuff elsewhere would be a better idea (or probably in a separate db or somethin), a workaround would be create placeholders owned by sudo at ~/.sorry and ~/.oldshell and stuff